We offer an embedding of CPython that runs entirely in memory without "touching" the disk. This in-memory embedding can load Python scripts directly from memory instead these scripts having to be loaded from files on disk. Malware that resides only in memory is harder to detect or mitigate against. We intend for our work to be used by security researchers to rapidly develop and deploy offensive techniques that is difficult for security products to analyze given these instructions are in bytecode and only translated to machine-code by the interpreter immediately prior to execution. Our work helps security researchers and enterprise Red Teams who play offense. Red Teams want to rapidly prototype malware for their periodic campaigns and do not want their malware to be detected by the Incident Response (IR) teams prior to accomplishing objectives. Red Teams also have difficulty running malware in production from files on disk as modern enterprise security products emulate, inspect, or quarantine such executables given these files have no reputation. Our work also helps enterprise Hunt and IR teams by making them aware of the viability of this type of attack. Our approach has been in use in production for over a year and meets our customers' needs to quickly emulate threat-actors' tasks, techniques, and procedures (TTPs).
翻译:我们提供一种完全在记忆中运行而不“触摸”磁盘的CPython嵌入。 这种模拟嵌入可以直接从记忆中装入 Python 脚本, 而不是从磁盘上装入这些脚本。 仅存于记忆中的Malware 更难检测或减轻防患于未然。 我们打算让安全研究人员利用我们的工作迅速开发和部署进攻性技术,因为安全产品难以分析这些指令,这些技术是用字典,并且只有翻译在实施前立即将其翻译成机器编码。 我们的工作有助于安全研究人员和企业红队玩犯罪。 红队希望快速原型恶意软件用于其定期运动,而不希望事故反应小组在实现目标之前发现他们的恶意软件。 红队也难以在磁盘上运行恶意软件,因为现代企业安全产品复制、检查或隔离这些文件没有名声。 我们的工作还帮助企业亨特和IR 团队了解这类袭击的可行性。 我们的方法在生产过程中迅速应用, 并满足客户对威胁的需求。
相关内容
微信扫码咨询专知VIP会员